Insecure WordPress blogs unwittingly host Blackhole malware attack

SophosLabs has intercepted a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit.

Be on your guard if you have received an email entitled “Verify your order”, as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.

Here’s what a typical email looks like:

Malicious email

Sign up to our free newsletter.
Security news, advice, and tips.

Subject: Verify your order

Message body:
Dear [name],

please verify your order #[random number] at [LINK]

We hope to see you again soon!

WordPressThe websites that are being linked to aren’t ones that have been created by the malicious hackers.

They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service – the vulnerable sites are those where people have installed their own WordPress software).

Unfortunately, some people haven’t properly secured their sites – which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users’ computers.

Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM.

More and more of the attacks that we are intercepting involve the Blackhole exploit kit – recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications.

Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use).


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.